Is fuzzing an effective tool for spotting cross-site scripting vulnerabilities?

In short, yes, it is. For the uninitiated, fuzzing is the process of finding flaws in software by sending it varying input repeatedly, trying to cause the target program to hiccup or crash. For years, researchers have used fuzzers effectively to find buffer-overflow flaws. In such analyses, the researcher can use tools like the free General Purpose Fuzzer or the commercial Mu-4000 fuzzing appliance. To look for an elusive flaw, a fuzzer may send billions of user input variations over the course of several weeks, automating the analysis process. There are a lot of
free fuzzers that offer such services.

With regard to cross-site scripting (XSS), a fuzzer can enter various browser scripts into a target Web application,...

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

varying the strings, functionality, encoding, size, and other aspects of the user input to see if a target Web application will reflect or store and return the input back to the researcher without any filtering. If the fuzzer's dangerous script does come back unimpeded, the target application is vulnerable to an XSS attack. An attacker can then enter a script into the application and get it to run on users' browsers.

In July 2007, Google publicly announced that it was working on an XSS fuzzer for its own internal use. The project, called Lemon, shows Google's awareness of the cross-site scripting threat and that fuzzers can help find such flaws. A few XSS vulnerabilities have been discovered in Google applications over the past year. Lemon is designed to find the flaws – and have Google fix them -- before attackers can exploit the vulnerabilities. Google has not released Lemon for public use, but its employees have talked publicly about the tool.

Other free, open source tools are starting to tackle the XSS fuzzing issue, including the WebScarab scanning tool from the Open Web Application Security Project (OWASP). The project has a nice write-up about how to use WebScarab as an XSS fuzzer.

Fuzzing is useful, but the testing process can't find all flaws. Fuzzing software tends to be pretty unintelligent; it just shoots a bunch of junk -- carefully selected junk, but junk nonetheless -- at a target hoping to find some weird reaction. The weird reaction, however, may be too subtle for the fuzzer to detect. Also, the input launched by the fuzzer may not cover all of the required technique combinations to trigger a flaw in the target software. Thus, fuzzing is not enough by itself to ensure a program is secure. Fuzzing should be part of a comprehensive software-testing regimen, which includes architecture review, code review and detailed testing.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy